File name:

0e4f5b9f3d229619099838e7f75bf178.exe

Full analysis: https://app.any.run/tasks/07aae0cb-30ce-4447-8446-b744f71de666
Verdict: Malicious activity
Threats:

A loader is malware whose purpose is to deliver other malicious payloads. Once it infects a victim's computer it profiles the system and installs further threats such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to get users to download and run the executable, and loaders employ evasion and persistence techniques to avoid detection.

Analysis date: December 13, 2024, 07:22:31
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

0E4F5B9F3D229619099838E7F75BF178

SHA1:

245AC00FB4AE9A1976727E216A767755AF97DEBD

SHA256:

62FD0F69BD2E8681EB05BA1BA2A0F81973E90FF7C792B7E9E8051D2F4CA28093

SSDEEP:

49152:iUYP78uT/ExV6aqn5YfIthAFqNvWTtvkOCN:Y78uT/ExED5YwIqtHN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Potential Corporate Privacy Violation

      • explorer.exe (PID: 4488)
    • Executable content was dropped or overwritten

      • 0e4f5b9f3d229619099838e7f75bf178.exe (PID: 6316)
    • Process requests binary or script from the Internet

      • explorer.exe (PID: 4488)
  • INFO

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4488)
    • Creates files or folders in the user directory

      • 0e4f5b9f3d229619099838e7f75bf178.exe (PID: 6316)
    • The process uses the downloaded file

      • explorer.exe (PID: 4488)
    • Create files in a temporary directory

      • 0e4f5b9f3d229619099838e7f75bf178.exe (PID: 6316)
      • explorer.exe (PID: 4488)
    • Reads the machine GUID from the registry

      • 0e4f5b9f3d229619099838e7f75bf178.exe (PID: 6316)
    • Checks proxy server information

      • explorer.exe (PID: 4488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:26 09:56:22+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 777728
InitializedDataSize: 242688
UninitializedDataSize: -
EntryPoint: 0x5d333
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 2.0.0.1051
ProductVersionNumber: 2.0.0.1051
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library (declared in the version resource; the PE header itself says Executable, see ImageFileCharacteristics above)
FileSubtype: -
LanguageCode: Unknown (0004) (LCID 0x0004 is the Chinese (Simplified) neutral locale, which ExifTool does not name)
CharacterSet: Unicode
CompanyName: 360.cn
FileDescription: InstallSoft.exe
FileVersion: 2, 0, 0, 1051
InternalName: InstSoft.exe
LegalCopyright: (C) 360.cn All Rights Reserved.
OriginalFileName: InstallSoft.exe
ProductVersion: 2, 0, 0, 1051
No data.
All screenshots are available in the full report
Total processes: 125
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph (process nodes)

start -> 0e4f5b9f3d229619099838e7f75bf178.exe -> explorer.exe -> 0e4f5b9f3d229619099838e7f75bf178.exe (no specs)

Process information (PID, command line, path, parent process, indicators)

PID 3140
  Command line: "C:\Users\admin\Desktop\0e4f5b9f3d229619099838e7f75bf178.exe"
  Path: C:\Users\admin\Desktop\0e4f5b9f3d229619099838e7f75bf178.exe
  Parent process: explorer.exe
  User: admin
  Company: 360.cn
  Integrity level: MEDIUM
  Description: InstallSoft.exe
  Exit code: 3221226540 (0xC000042C = STATUS_ELEVATION_REQUIRED: the image requires elevation and could not start at medium integrity; only ntdll was mapped before it exited, and the elevated instance is PID 6316 below)
  Version: 2, 0, 0, 1051
  Modules (images):
    c:\users\admin\desktop\0e4f5b9f3d229619099838e7f75bf178.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll

PID 4488
  Command line: C:\WINDOWS\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows Explorer
  Version: 10.0.19041.3758 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\smartscreenps.dll
    c:\windows\explorer.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\oleaut32.dll

PID 6316
  Command line: "C:\Users\admin\Desktop\0e4f5b9f3d229619099838e7f75bf178.exe"
  Path: C:\Users\admin\Desktop\0e4f5b9f3d229619099838e7f75bf178.exe
  Parent process: explorer.exe
  User: admin
  Company: 360.cn
  Integrity level: HIGH (the elevated relaunch of PID 3140; this is the instance that drops files and talks to the network)
  Description: InstallSoft.exe
  Version: 2, 0, 0, 1051
  Modules (images):
    c:\windows\syswow64\windowscodecs.dll
    c:\windows\syswow64\dwrite.dll
    c:\windows\syswow64\textshaping.dll
    c:\windows\syswow64\cabinet.dll
    c:\windows\syswow64\devrtl.dll
    c:\users\admin\appdata\local\temp\rfztrwibagxdfxau\360ini.dll (loaded from a random-named Temp directory; cabinet.dll is also loaded, consistent with extraction from the downloaded 360ini.cab listed under Dropped files)
    c:\windows\syswow64\psapi.dll
    c:\windows\syswow64\userenv.dll
    c:\windows\syswow64\msimg32.dll
    c:\windows\syswow64\netapi32.dll
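The exit-code decode and the "failed at MEDIUM, reappeared at HIGH" correlation in the table above can be automated when triaging many reports. The following Python is an added example, not part of the ANY.RUN report or of any 360.cn software: it encodes the three processes from this table as constructed records and flags every image whose launch ended with NTSTATUS 0xC000042C (STATUS_ELEVATION_REQUIRED) and which later appears at HIGH integrity. The `Proc` record layout and the small `NTSTATUS_NAMES` table are this example's own.

```python
"""Added example: flag a UAC elevation relaunch in a sandbox process list.

Constructed input mirrors the three processes in the report above; the only
external fact relied on is that NTSTATUS 0xC000042C is STATUS_ELEVATION_REQUIRED.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUS_ELEVATION_REQUIRED = 0xC000042C

# Only the statuses this example needs; extend as required.
NTSTATUS_NAMES = {
    0x00000000: "STATUS_SUCCESS",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


def decode_exit_code(code: int) -> str:
    """Render a sandbox exit code (unsigned decimal) as hex plus NTSTATUS name."""
    code &= 0xFFFFFFFF  # some tools print the same value as a signed 32-bit int
    return f"0x{code:08X} ({NTSTATUS_NAMES.get(code, 'unknown')})"


@dataclass
class Proc:
    pid: int
    image: str                        # full path of the executable
    parent: str                       # parent image name as the report prints it
    integrity: str                    # LOW / MEDIUM / HIGH / SYSTEM
    exit_code: Optional[int] = None   # None if still running when analysis ended


# Constructed from the process table above (hand-copied, not machine-exported).
SAMPLE = r"C:\Users\admin\Desktop\0e4f5b9f3d229619099838e7f75bf178.exe"
REPORT_PROCS: List[Proc] = [
    Proc(3140, SAMPLE, "explorer.exe", "MEDIUM", 3221226540),
    Proc(4488, r"C:\Windows\explorer.exe", "", "MEDIUM"),
    Proc(6316, SAMPLE, "explorer.exe", "HIGH"),
]


def find_elevation_relaunches(procs: List[Proc]) -> List[Tuple[int, int, str]]:
    """Return (failed_pid, elevated_pid, image) for every image whose launch
    ended with STATUS_ELEVATION_REQUIRED below HIGH integrity and which later
    appears running at HIGH integrity.  `procs` is assumed to be in creation order."""
    hits: List[Tuple[int, int, str]] = []
    for i, failed in enumerate(procs):
        if failed.exit_code is None:
            continue
        if (failed.exit_code & 0xFFFFFFFF) != STATUS_ELEVATION_REQUIRED:
            continue
        if failed.integrity == "HIGH":
            continue
        for later in procs[i + 1:]:
            if later.image.lower() == failed.image.lower() and later.integrity == "HIGH":
                hits.append((failed.pid, later.pid, later.image))
                break
    return hits


def describe(hits: List[Tuple[int, int, str]]) -> List[str]:
    """Human-readable one-liners for the analyst's notes."""
    status = decode_exit_code(STATUS_ELEVATION_REQUIRED)
    return [f"PID {f} exited {status}; relaunched elevated as PID {e}: {img}"
            for f, e, img in hits]


if __name__ == "__main__":
    for line in describe(find_elevation_relaunches(REPORT_PROCS)):
        print(line)
```

On this report the script reports exactly one pair, 3140 -> 6316. A process that exits with this status has not executed its own code, so behaviour attributed to it is usually empty, and the elevated instance is the one to examine.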
Total events: 1 342 (read 1 332, write 10, delete 0)

Modification events

PID 4488 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
  Operation: write  Name: CheckSetting
  Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000

PID 4488 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000701F2
  Operation: write  Name: VirtualDesktop
  Value: 1000000030304456A48A294F7A40804AB924005FF030B61F

PID 4488 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write  Name: IconLayouts
  Value: (binary blob not reproduced in this copy)

PID 4488 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
  Operation: write  Name: IconNameVersion
  Value: 1

PID 4488 explorer.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
  Operation: write  Name: LastUpdate
  Value: C5E05B6700000000

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\360iniconfig_elfsnow
  Operation: write  Name: dwCallId
  Value: 3112803

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\360iniconfig_elfsnow
  Operation: write  Name: dwDllVer
  Value: 2001309

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\360iniconfig_elfsnow
  Operation: write  Name: dwLHP
  Value: 2
Dropped file types: executable 2, suspicious 43, text 0, unknown 0

Dropped files (PID, process, filename, type, hashes)

PID 4488 explorer.exe
  C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat  (binary)
  MD5: E49C56350AEDF784BFE00E444B879672
  SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\360ini[1].cab  (compressed)
  MD5: 30004B6B26FB66A5781B85EC35F0C9ED
  SHA256: 9F875BAF7ED0862E6A73FFDB5984DF721066792475EFE6940813013CC86D73D2

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\360ini.cab  (compressed)
  MD5: 30004B6B26FB66A5781B85EC35F0C9ED
  SHA256: 9F875BAF7ED0862E6A73FFDB5984DF721066792475EFE6940813013CC86D73D2

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{5D49F137-2A43-4a72-A837-3C0FCFD19256}.tmp  (binary)
  MD5: CD955FFBA5CB93F2ABED5A115E5B04B2
  SHA256: 9165D471161D0F84B3B3EE1A0F1939EAD7AD3CFEB7648C29279CC6B291F75D96

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{BFB8DDE6-70C1-40b3-B23E-149EF3CADC5D}.tmp  (binary)
  MD5: 931123665CA0C53D14D39CFC61EEF30F
  SHA256: 38378BDBF4968686EC07F724BC7306273B1FD9A19A134985EDE1437D647510F9

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{D1CAD955-676D-4068-A4BA-A84B0CD7AF51}.tmp  (binary)
  MD5: AC53E229B6F98A6E4D8E5C3A477E0B71
  SHA256: A897AEB2C06B438421A6D8DBC43955A92AFC2FA630145FEE9D81CBA4756873BE

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{E7F4F9C8-526F-4db0-AF98-A1DA59208B60}.tmp  (binary)
  MD5: D1F1A714FE214B2BDBFDD167DEFFA873
  SHA256: 2FF2409147F181913A107687A83CE250015091917ED197F16D7377CB885E796C

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{50EA6D4F-1BD0-48e8-AC3B-B1C3E8D3953D}\qXaJhIdOwDvQyPfN.tmp  (binary)
  MD5: A0B46DE3FCE878F3D337A69C6C61EF55
  SHA256: 131DEBC772BCC46BDE2B3E2D60FB52755BFC02DC9E79D5A0D31E716257082757

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{46FBEC29-8F05-4e0e-A3F7-23BE6E2ABFAB}.tmp  (binary)
  MD5: 08D9A2CCD1B35C5D05EB3FBBB75CE387
  SHA256: 27178EEEDD4476C72D1B5FC3D284391C743C548B48EA32373478D5007209C4BD

PID 6316 0e4f5b9f3d229619099838e7f75bf178.exe
  C:\Users\admin\AppData\Local\Temp\{75FE7134-9876-46ae-A789-DADB68286780}.tmp  (binary)
  MD5: 9D2A31ECFC2A17A69C48DA7A37282B5A
  SHA256: C46949B5EAE198356BE275371116572430BF8957F339431BDE00AD6CC0BB4BCD

Note: the two 360ini.cab entries carry identical hashes; the first is the WinINet cache copy written during the download from sfdl.360safe.com (see HTTP requests), the second the working copy in Temp. The module list for PID 6316 shows 360ini.dll loaded from C:\Users\admin\AppData\Local\Temp\rfztrwibagxdfxau\ together with cabinet.dll, consistent with that DLL being extracted from the cab; the DLL itself is not among the hashed drops above.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Network summary: HTTP(S) requests 39, TCP/UDP connections 60, DNS requests 23, threats 2

HTTP requests (PID and process where attributed, method, HTTP code, IP:port, URL, CN, reputation)

(PID not shown)  GET 200  23.48.23.143:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  CN unknown, whitelisted
4712 MoUsoCoreWorker.exe  GET 200  23.48.23.143:80  http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl  CN unknown, whitelisted
4712 MoUsoCoreWorker.exe  GET 200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  CN unknown, whitelisted
(PID not shown)  GET 200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  CN unknown, whitelisted
(PID not shown)  GET 200  184.30.21.171:80  http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl  CN unknown, whitelisted
(PID not shown)  GET 200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D  CN unknown, whitelisted
(PID not shown)  GET 200  192.229.221.95:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  CN unknown, whitelisted
(PID not shown)  GET 200  101.198.193.210:80  http://baoku.360.cn/tools/downloadSoftware?filename=%30%65%34%66%35%62%39%66%33%64%32%32%39%36%31%39%30%39%39%38%33%38%65%37%66%37%35%62%66%31%37%38%5f%5f&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&mid=80342cb959da2233832ae840f019ccba&rand=1734074556&ver=2.0.0.1051&sign=ac11f0633a8fd5a3cd3a5efc47021651  CN unknown, whitelisted
6316 0e4f5b9f3d229619099838e7f75bf178.exe  HEAD 200  111.7.66.168:80  http://sfdl.360safe.com/gf/360ini.cab  CN unknown, whitelisted
6316 0e4f5b9f3d229619099838e7f75bf178.exe  GET 200  180.163.251.230:80  http://s.360.cn/safe/instcomp.htm?soft=2023040419&status=1&pid=3112803&mid=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec  CN unknown, whitelisted

Notes on the 360.cn requests: the percent-encoded filename parameter in the baoku.360.cn URL decodes to 0e4f5b9f3d229619099838e7f75bf178__, i.e. the sample's own file name; ver=2.0.0.1051 equals the FileVersion in the version resource; rand=1734074556 is a Unix timestamp for 2024-12-13 07:22:36 UTC, matching the analysis time; pid=3112803 in the s.360.cn beacon is not a process id but the dwCallId value PID 6316 wrote to HKCU\SOFTWARE\360iniconfig_elfsnow; mid and m2 are repeated verbatim in both requests and behave as per-install identifiers. The CRL and OCSP fetches are Windows certificate-chain checks, not traffic of the sample.
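Extracting and cross-checking the identifiers carried in those URLs is a routine triage step, so the following Python is an added example (not part of the ANY.RUN report and not 360.cn code). It takes the three 360.cn / 360safe.com URLs copied from the table above, plus the PID 6316 registry writes and the file version from this report, and reports which query parameters are shared between requests, what the percent-encoded filename decodes to, what `rand` means as a Unix timestamp, and whether `pid` matches the registry `dwCallId`. The helper names and the `REG_WRITES_6316` dictionary layout are this example's own.

```python
"""Added example: pull tracking identifiers out of an installer's HTTP requests
and cross-check them against other artefacts from the same sandbox report."""
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# URLs copied verbatim from the HTTP requests table above.
REPORT_URLS: List[str] = [
    "http://baoku.360.cn/tools/downloadSoftware?filename=%30%65%34%66%35%62%39%66"
    "%33%64%32%32%39%36%31%39%30%39%39%38%33%38%65%37%66%37%35%62%66%31%37%38%5f%5f"
    "&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec"
    "&mid=80342cb959da2233832ae840f019ccba&rand=1734074556&ver=2.0.0.1051"
    "&sign=ac11f0633a8fd5a3cd3a5efc47021651",
    "http://sfdl.360safe.com/gf/360ini.cab",
    "http://s.360.cn/safe/instcomp.htm?soft=2023040419&status=1&pid=3112803"
    "&mid=80342cb959da2233832ae840f019ccba"
    "&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec",
]

# Other artefacts from the same report, hand-copied for the cross-checks.
SAMPLE_NAME = "0e4f5b9f3d229619099838e7f75bf178"   # the file name (also its MD5)
FILE_VERSION = "2.0.0.1051"                         # FileVersionNumber from EXIF
REG_WRITES_6316 = {"dwCallId": "3112803", "dwDllVer": "2001309", "dwLHP": "2"}


def query_params(url: str) -> Dict[str, str]:
    """Single-valued, percent-decoded query parameters of `url`."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def shared_params(urls: List[str]) -> Dict[str, str]:
    """Parameters that appear with an identical value in more than one URL.
    These are the per-install / per-machine identifiers worth pivoting on."""
    seen: Dict[str, List[str]] = {}
    for u in urls:
        for k, v in query_params(u).items():
            seen.setdefault(k, []).append(v)
    return {k: vs[0] for k, vs in seen.items() if len(vs) > 1 and len(set(vs)) == 1}


def unix_param(url: str, name: str) -> str:
    """Interpret a numeric parameter as Unix seconds and return ISO-8601 UTC."""
    ts = int(query_params(url)[name])
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def correlate(urls: List[str], sample_name: str, file_version: str,
              reg_writes: Dict[str, str]) -> List[str]:
    """Cross-check URL parameters against the sample name, version resource and
    registry writes; return one finding string per match."""
    findings: List[str] = []
    by_host = {urlsplit(u).hostname: query_params(u) for u in urls}
    download = by_host.get("baoku.360.cn", {})
    beacon = by_host.get("s.360.cn", {})
    if download.get("filename", "").startswith(sample_name):
        findings.append("filename parameter carries the sample's own file name")
    if download.get("ver") == file_version:
        findings.append("ver parameter equals the PE FileVersion")
    if beacon.get("pid") == reg_writes.get("dwCallId"):
        findings.append("pid parameter equals registry dwCallId (not a process id)")
    for k in shared_params(urls):
        findings.append(f"{k} is reused across requests")
    return findings


if __name__ == "__main__":
    print("filename =", query_params(REPORT_URLS[0])["filename"])
    print("rand     =", unix_param(REPORT_URLS[0], "rand"))
    for f in correlate(REPORT_URLS, SAMPLE_NAME, FILE_VERSION, REG_WRITES_6316):
        print("-", f)
```

The shared `mid` and `m2` values are the parameters to pivot on in proxy logs if you need to find other hosts that ran the same installer; `rand` is only the request time and `sign` changes per request, so neither is a useful search key.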

Connections (PID and process where attributed, IP:port, domain, ASN, CN, reputation)

4 System  192.168.100.255:137  (NetBIOS name service broadcast)  whitelisted
(PID not shown)  51.104.136.2:443  settings-win.data.microsoft.com  MICROSOFT-CORP-MSN-AS-BLOCK  IE  whitelisted
4712 MoUsoCoreWorker.exe  23.48.23.143:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
(PID not shown)  23.48.23.143:80  crl.microsoft.com  Akamai International B.V.  DE  whitelisted
(PID not shown)  184.30.21.171:80  www.microsoft.com  AKAMAI-AS  DE  whitelisted
4712 MoUsoCoreWorker.exe  184.30.21.171:80  www.microsoft.com  AKAMAI-AS  DE  whitelisted
5064 SearchApp.exe  104.126.37.153:443  www.bing.com  Akamai International B.V.  DE  whitelisted
4 System  192.168.100.255:138  (NetBIOS datagram broadcast)  whitelisted
(PID not shown)  192.229.221.95:80  ocsp.digicert.com  EDGECAST  US  whitelisted
(PID not shown)  101.198.193.210:443  baoku.360.cn  Beijing Qihu Technology Company Limited  CN  whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.78
whitelisted
www.bing.com
  • 104.126.37.153
  • 104.126.37.171
  • 104.126.37.179
  • 104.126.37.170
  • 104.126.37.163
  • 104.126.37.161
  • 104.126.37.155
  • 104.126.37.178
  • 104.126.37.160
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
baoku.360.cn
  • 101.198.193.210
whitelisted
login.live.com
  • 20.190.159.71
  • 20.190.159.75
  • 40.126.31.67
  • 20.190.159.64
  • 20.190.159.2
  • 20.190.159.68
  • 20.190.159.0
  • 20.190.159.23
whitelisted
go.microsoft.com
  • 23.218.210.69
whitelisted
s.360.cn
  • 180.163.251.230
  • 180.163.251.231
  • 171.8.167.90
  • 171.13.14.66
whitelisted

Threats (PID, process, class, message)

4488 explorer.exe  Misc activity  ET INFO Packed Executable Download
4488 explorer.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
No debug info